# HG changeset patch
# User Patrick Stewart
# Date 1553093089 0
# Node ID 592a18dac2503a763dca543cfd8c633b1114f447
# Parent c4bf28ccab97c8fb7e7ad37e7fce3b088de51cc1
Support servers without multiple user support (#76)
diff -r c4bf28ccab97 -r 592a18dac250 default_options.h
--- a/default_options.h Wed Mar 20 17:33:15 2019 +0300
+++ b/default_options.h Wed Mar 20 14:44:49 2019 +0000
@@ -196,6 +196,9 @@
 * authorized_keys file into account */
 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
+/* Disable if your kernel does not have multiple user support */
+#define DROPBEAR_SVR_MULTIUSER 1
+
 /* Client authentication options */
 #define DROPBEAR_CLI_PASSWORD_AUTH 1
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
diff -r c4bf28ccab97 -r 592a18dac250 svr-agentfwd.c
--- a/svr-agentfwd.c Wed Mar 20 17:33:15 2019 +0300
+++ b/svr-agentfwd.c Wed Mar 20 14:44:49 2019 +0000
@@ -151,6 +151,7 @@
 if (chansess->agentfile != NULL && chansess->agentdir != NULL) {
+#if DROPBEAR_SVR_MULTIUSER
 /* Remove the dir as the user. That way they can't cause problems except
 * for themselves */
 uid = getuid();
@@ -159,6 +160,7 @@
 (seteuid(ses.authstate.pw_uid)) < 0) {
 dropbear_exit("Failed to set euid");
 }
+#endif
 /* 2 for "/" and "\0" */
 len = strlen(chansess->agentdir) + strlen(chansess->agentfile) + 2;
@@ -170,10 +172,12 @@
 rmdir(chansess->agentdir);
+#if DROPBEAR_SVR_MULTIUSER
 if ((seteuid(uid)) < 0 || (setegid(gid)) < 0) {
 dropbear_exit("Failed to revert euid");
 }
+#endif
 m_free(chansess->agentfile);
 m_free(chansess->agentdir);
@@ -216,6 +220,7 @@
 gid_t gid;
 int ret = DROPBEAR_FAILURE;
+#if DROPBEAR_SVR_MULTIUSER
 /* drop to user privs to make the dir/file */
 uid = getuid();
 gid = getgid();
@@ -223,6 +228,7 @@
 (seteuid(ses.authstate.pw_uid)) < 0) {
 dropbear_exit("Failed to set euid");
 }
+#endif
 memset((void*)&addr, 0x0, sizeof(addr));
 addr.sun_family = AF_UNIX;
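Review bot: The comment added above `DROPBEAR_SVR_MULTIUSER` in default_options.h says only when to turn the option off, not what turning it off does to the server's privilege handling. The other hunks of this changeset compile out every `seteuid`/`setegid` switch and change the login check in svr-auth.c, so with the value 0 the server never changes identity and only the account the server itself runs as can log in. I would spell that out, e.g. `/* Set to 0 only if the kernel has no multiple user support. With 0 dropbear never changes uid/gid and only the server's own user can log in. */`.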
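Review bot: In the `@@ -216,6 +220,7 @@` hunk of svr-agentfwd.c the declaration `gid_t gid;` stays outside the new `#if DROPBEAR_SVR_MULTIUSER`, so a build with the option set to 0 leaves it declared but, as far as the visible lines show, never used (`gid = getgid();` and `setegid(gid)` are both guarded). That gives unused-variable warnings, which matters if the build treats warnings as errors. Wrapping the declarations in the same `#if`, or adding `(void)uid; (void)gid;` under an `#else`, keeps both configurations clean. The same probably applies to `uid`/`gid` in the cleanup function patched by the earlier hunks of this file and to `origuid`/`origgid` in svr-authpubkey.c, whose declarations lie outside the hunks shown.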
@@ -262,10 +268,12 @@
 out:
+#if DROPBEAR_SVR_MULTIUSER
 if ((seteuid(uid)) < 0 || (setegid(gid)) < 0) {
 dropbear_exit("Failed to revert euid");
 }
+#endif
 return ret;
 }
diff -r c4bf28ccab97 -r 592a18dac250 svr-auth.c
--- a/svr-auth.c Wed Mar 20 17:33:15 2019 +0300
+++ b/svr-auth.c Wed Mar 20 14:44:49 2019 +0000
@@ -276,7 +276,7 @@
 /* check if we are running as non-root, and login user is different from the server */
 uid = geteuid();
- if (uid != 0 && uid != ses.authstate.pw_uid) {
+ if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) {
 TRACE(("running as nonroot, only server uid is allowed"))
 dropbear_log(LOG_WARNING, "Login attempt with wrong user %s from %s",
diff -r c4bf28ccab97 -r 592a18dac250 svr-authpubkey.c
--- a/svr-authpubkey.c Wed Mar 20 17:33:15 2019 +0300
+++ b/svr-authpubkey.c Wed Mar 20 14:44:49 2019 +0000
@@ -347,6 +347,7 @@
 snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ses.authstate.pw_dir);
+#if DROPBEAR_SVR_MULTIUSER
 /* open the file as the authenticating user. */
 origuid = getuid();
 origgid = getgid();
@@ -354,13 +355,16 @@
 (seteuid(ses.authstate.pw_uid)) < 0) {
 dropbear_exit("Failed to set euid");
 }
+#endif
 authfile = fopen(filename, "r");
+#if DROPBEAR_SVR_MULTIUSER
 if ((seteuid(origuid)) < 0 || (setegid(origgid)) < 0) {
 dropbear_exit("Failed to revert euid");
 }
+#endif
 if (authfile == NULL) {
 goto out;
diff -r c4bf28ccab97 -r 592a18dac250 svr-chansession.c
--- a/svr-chansession.c Wed Mar 20 17:33:15 2019 +0300
+++ b/svr-chansession.c Wed Mar 20 14:44:49 2019 +0000
@@ -949,6 +949,7 @@
 #endif /* HAVE_CLEARENV */
 #endif /* DEBUG_VALGRIND */
+#if DROPBEAR_SVR_MULTIUSER
 /* We can only change uid/gid as root ... */
 if (getuid() == 0) {
@@ -972,6 +973,7 @@
 dropbear_exit("Couldn't change user as non-root");
 }
 }
+#endif
 /* set env vars */
 addnewvar("USER", ses.authstate.pw_name);
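Review bot: The comment and TRACE text around the rewritten condition in svr-auth.c still describe only the non-root case, while the new test `!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid` also rejects the login when the option is 0 and the server runs as uid 0. This check is what keeps a build without multiuser support from starting a session for an account it cannot switch to, so the comment should say so, e.g. `/* without multiuser support, or when not running as root, only the server's own uid may log in */`. The enclosing function starts and ends outside the hunk.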
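Review bot: With `DROPBEAR_SVR_MULTIUSER` set to 0 the `#if`/`#endif` pair added in svr-chansession.c removes the whole uid/gid block, including the branch that ends in `dropbear_exit("Couldn't change user as non-root")`. The code between the two hunks is not shown, but that branch presumably compares the process uid with `ses.authstate.pw_uid`. Without it the session starts under the server's identity with no check at this point, which leaves the test in svr-auth.c as the only guard. Keeping the comparison in an `#else` branch preserves the second check at no cost.

```c
#if DROPBEAR_SVR_MULTIUSER
	/* … unchanged: existing uid/gid change block … */
#else
	/* no uid switch is possible: refuse any user other than the server's own */
	if (getuid() != ses.authstate.pw_uid) {
		dropbear_exit("Couldn't change user as non-root");
	}
#endif
```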